Monero Miner Infects Hundreds of Windows Servers

Hundreds of servers have been infected with Monero mining malware after miscreants managed to exploit a vulnerability in Microsoft IIS 6.0, ESET warns.

The infection campaign has been ongoing since at least May 2017 and has resulted in the attackers creating a botnet and mining over $63,000 worth of Monero (XMR) to date. The actors behind this campaign modified a legitimate open source Monero mining software and installed it on unpatched servers.

The malicious software used in this campaign is a fork of a legitimate open source Monero CPU miner called xmrig, which was released in May 2017. The crooks simply copied the original open source codebase and made only a few changes to it when creating their mining tool.

Specifically, they only added hardcoded command-line arguments for their own wallet address and mining pool URL. They also added logic to kill all previously running instances of the software itself, an operation that couldn't have taken the crooks more than several minutes, ESET notes.

The malware was distributed via brute-force scanning for servers vulnerable to CVE-2017-7269, carried out from two IP addresses that point to servers in the Amazon Web Services cloud. The security flaw resides in the WebDAV service, part of Microsoft IIS version 6.0, the webserver shipped with Windows Server 2003 R2.

“This vulnerability is especially susceptible to exploitation, since it’s located in a webserver service, which in most cases is meant to be visible from the internet and therefore can be easily accessed and exploited by anyone,” the researchers note.

The payload is delivered as an alphanumeric string: the attackers took the publicly available proof-of-concept exploit and simply replaced the string that leads to code execution with one of their own, which fetches and runs the miner.
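Because the vulnerable component is a WebDAV handler reached over plain HTTP, the exploit traffic can be caught on the wire before the miner ever runs. The following heuristic detector is an added example (not ESET's tooling, and not the proof-of-concept itself): it parses raw HTTP requests and flags WebDAV requests that carry an oversized header or a long alphanumeric run of the kind an encoded payload produces. The trigger shape it assumes, a `PROPFIND` request with a very long `If:` header, is taken from the public proof-of-concept rather than from the article, and the length thresholds are assumptions to be tuned against your own traffic. The sample requests are constructed for the example.

```python
"""Heuristic detector for WebDAV requests shaped like CVE-2017-7269 exploit traffic.

Added example, not ESET's code. Assumptions (not stated in the article):
  * the exploit arrives as a WebDAV verb (PROPFIND in the public PoC) whose
    If: header is far longer than any legitimate lock-token list;
  * the alphanumeric payload shows up as a long [A-Za-z0-9] run in a header;
  * the size thresholds below are starting points, not measured values.
"""
import re
from dataclasses import dataclass, field

MAX_HEADER_LEN = 1024   # assumption: legitimate WebDAV headers are short
ALNUM_RUN_MIN = 200     # assumption: encoded payloads form long alnum runs
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
ALNUM_RUN = re.compile(rf"[A-Za-z0-9]{{{ALNUM_RUN_MIN},}}")


@dataclass
class Verdict:
    method: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split()
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def analyze(raw: bytes) -> Verdict:
    """Flag WebDAV requests with oversized or payload-like header values."""
    method, path, headers, _body = parse_request(raw)
    verdict = Verdict(method, path)
    if method not in WEBDAV_METHODS:
        # Only WebDAV verbs reach the vulnerable code path (assumption), so
        # a long header on a plain GET is not, by itself, this exploit.
        return verdict
    for name, value in headers.items():
        if len(value) > MAX_HEADER_LEN:
            verdict.reasons.append(f"oversized header {name} ({len(value)} bytes)")
        if ALNUM_RUN.search(value):
            verdict.reasons.append(f"long alphanumeric run in header {name}")
    return verdict


def triage(requests):
    """Return only the verdicts worth a human look."""
    return [v for v in (analyze(r) for r in requests) if v.suspicious]


# --- constructed sample traffic (not captured data) ---------------------
BENIGN_PROPFIND = (
    b"PROPFIND /docs/ HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Depth: 1\r\n"
    b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Shape of the public PoC: a PROPFIND whose If: header is padded far past
# any legitimate token list. The padding here is a stand-in, not shellcode.
EXPLOIT_SHAPED_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"If: <http://localhost/" + b"a" * 1200 + b">\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# A non-WebDAV request with a long cookie must not trip the detector.
LONG_HEADER_GET = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example\r\n"
    b"Cookie: session=" + b"x" * 1500 + b"\r\n\r\n"
)
SAMPLES = [BENIGN_PROPFIND, EXPLOIT_SHAPED_PROPFIND, LONG_HEADER_GET]

if __name__ == "__main__":
    for v in triage(SAMPLES):
        print(v.method, v.path, "->", "; ".join(v.reasons))
```

Two caveats for anyone wiring this into monitoring: default IIS W3C logs record the method, URI, status and a few selected headers but not `If:`, so this logic has to sit on a capture, proxy or WAF that sees full request headers; and a detector like this only tells you an attempt was made, so any IIS 6.0 host that received such a request should be treated as compromised until checked.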

The researchers also observed that the miner has been appearing in waves since May, which suggests that the attackers are scanning the Internet for vulnerable machines on a regular basis. The scans come from what appear to be machines hosted in the Amazon cloud, consistent with the two AWS addresses seen delivering the payload.

Because Microsoft ended regular support for Windows Server 2003 in July 2015, the flaw initially went unpatched; a fix was released only in June 2017. Furthermore, as updating this platform isn't always easy, many systems remain vulnerable.

As part of this campaign, the infected machines were earning around XMR 5.5 per day by the end of August, and reportedly made more than XMR 420 (around $63,000) in total over the course of three months.

Although very active at the end of August, the attackers have gone quiet since the beginning of September, with no new infections observed. Moreover, the miner lacks a persistence mechanism, so it does not survive a reboot, and the botnet has been steadily losing compromised machines.

Although the total number of victims isn’t known, ESET estimates that hundreds of servers were compromised, based on the total hash rate produced by the attacker.

“We see that minimal know-how together with very low operating costs and a low risk of getting caught – in this case, misusing legitimate open-source cryptocurrency mining software and targeting old systems likely to be left unpatched – can be sufficient for securing a relatively high outcome,” ESET concludes.